DETAILED ACTION 

1. This is in response to the arguments filed on 28 March 2007. 

2. Claims 1-21 are pending in the application. 

3. Claims 1-21 have been rejected. 

Information Disclosure Statement 

4. The examiner has considered the information disclosure statement filed on 28 March 2007. 

Response to Arguments 

5. Applicant's arguments filed 28 March 2007 have been fully considered but they are not 
persuasive. 

On page 8, the applicant argues that McClure does not teach or suggest, "receiving, from 
an intrusion detection sensor, one or more packets associated with an alarm indicative of a 
potential attack on a target host". 

The examiner respectfully disagrees. McClure discloses that, in order to "force" a 
response from the target computer, an intruder may sometimes send a malformed packet to a target port. 
While this known technique increases the likelihood that an open UDP port on the target 
computer can be identified, it also substantially increases the likelihood that the 
malformed packet could damage the target computer. Also, firewalls or routers may detect and 
filter out malformed packets, and such packets can alert the target network to an attempted 
security breach. 

Claim Rejections - 35 USC § 102 
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the 
basis for the rejections under this section made in this Office action: 

A person shall be entitled to a patent unless - 

(e) the invention was described in (1) an application for patent, published under section 122(b), by another filed 
in the United States before the invention by the applicant for patent or (2) a patent granted on an application for 
patent by another filed in the United States before the invention by the applicant for patent, except that an 
international application filed under the treaty defined in section 351(a) shall have the effects for purposes of this 
subsection of an application filed in the United States only if the international application designated the United 
States and was published under Article 21(2) of such treaty in the English language. 

6. Claims 1-21 are rejected under 35 U.S.C. 102(e) as being anticipated by McClure et al 
U.S. 7,152,105 B2. 

As to claim 1, McClure et al discloses a computerized method for reducing the false 
alarm rate of network intrusion detection systems, comprising: 

receiving, from a network intrusion detection sensor, one or more data 
packets associated with an alarm indicative of a potential attack on a target host 
[column 17 line 29 to column 18 line 50]; 

identifying characteristics of the alarm from the data packets, including at 
least an attack type and an operating system fingerprint of the target host [column 
17 line 29 to column 18 line 50]; 

identifying the operating system type from the operating system 
fingerprint [column 17 line 29 to column 18 line 50]; 

comparing the attack type to the operating system type [column 17 line 29 
to column 18 line 50]; and 

indicating whether the target host is vulnerable to the attack based on the 
comparison [column 17 line 29 to column 18 line 50]. 

As to claims 2 and 17, McClure et al discloses storing the operating system fingerprint of 
the target host in a storage location for a time period [column 18, lines 20-42]. 

As to claims 3, 9 and 18, McClure et al discloses the computerized method further comprising: 

monitoring a dynamic configuration protocol server [column 22, lines 32-67]; 

detecting that a lease issue has occurred for a new target host [column 22, 
lines 32-67]; 

accessing a storage location [column 22, lines 32-67]; 

determining whether an operating system fingerprint for the new target 
host already exists in the storage location [column 22, lines 32-67]; and 

if the operating system fingerprint for the new target host does exist, then 
purging the existing operating system fingerprint for the new target host from the 
storage location [column 22, lines 32-67]. 

As to claims 4, 10 and 19, McClure et al discloses the computerized method further comprising: 

monitoring a dynamic configuration protocol server [column 22, lines 32-67]; 

detecting that a lease expire has occurred for an existing target host 
[column 22, lines 32-67]; 

accessing a storage location [column 22, lines 32-67]; 

determining whether an operating system fingerprint for the existing target 
host already exists in the storage location [column 22, lines 32-67]; and 
if the operating system fingerprint for the existing target host does not 
exist, then disregarding the lease expire [column 22, lines 32-67]; and 

if the operating system fingerprint for the existing target host does exist, 
then purging the existing operating system fingerprint for the existing target host 
from the storage location [column 22, lines 32-67]. 

As to claims 5 and 20, McClure et al discloses the computerized method further comprising: 

after receiving the data packets, determining whether a format for the 
alarm is valid [column 23, lines 26-52]; and 

if the format is not valid, then disregarding the alarm [column 23, lines 26- 
52]; otherwise 

if the format is valid, then continuing the computerized method with the 
identifying characteristics step [column 23, lines 26-52]. 

As to claims 6, 11 and 21, McClure et al discloses automatically alerting a network 
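The method recited in claims 1 through 5 above (receive the packets associated with an alarm, check that the alarm is well formed, extract an attack type and an operating system fingerprint, map the fingerprint to an OS type, compare it with the attack type, cache the fingerprint for a limited time, and purge the cached fingerprint when a DHCP lease is issued or expires for the address) is shown below as an added Python example. It is not code from the application or from McClure et al. The signature names, the TTL/window fingerprint table, the alarm and packet structures, and the DHCP event names are constructed assumptions for illustration only.

```python
"""OS-aware false-alarm filter for NIDS alerts (added example; assumptions noted inline)."""
from dataclasses import dataclass
from typing import Optional

# Assumption: which OS families each hypothetical signature can actually affect.
ATTACK_TARGET_OS = {
    "IIS_UNICODE_TRAVERSAL": {"windows"},
    "APACHE_CHUNKED_OVERFLOW": {"linux", "bsd"},
}

# Assumption: passive fingerprint table keyed on (initial TTL, TCP window size),
# loosely modelled on common stack defaults; a real table is far larger.
OS_FINGERPRINTS = {
    (128, 65535): "windows",
    (64, 5840): "linux",
    (64, 65535): "bsd",
}

@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    ttl: int
    window: int

@dataclass
class Alarm:
    attack_type: str
    target_host: str
    packets: list  # packets the sensor associated with this alarm

class FingerprintStore:
    """Caches a host's OS fingerprint for a bounded period (claims 2 and 8)."""
    def __init__(self, ttl_seconds: float = 3600.0):
        self.ttl_seconds = ttl_seconds
        self._entries: dict = {}  # ip -> (fingerprint, expiry timestamp)

    def put(self, ip: str, fp: tuple, now: float) -> None:
        self._entries[ip] = (fp, now + self.ttl_seconds)

    def get(self, ip: str, now: float) -> Optional[tuple]:
        entry = self._entries.get(ip)
        if entry is None or entry[1] <= now:  # missing or expired: never serve a stale guess
            self._entries.pop(ip, None)
            return None
        return entry[0]

    def purge(self, ip: str) -> bool:
        """Remove the cached fingerprint; False if nothing was stored for ip."""
        return self._entries.pop(ip, None) is not None

def initial_ttl(observed_ttl: int) -> int:
    """Round an observed TTL up to the nearest common initial value."""
    for candidate in (32, 64, 128, 255):
        if observed_ttl <= candidate:
            return candidate
    return 255

def alarm_format_is_valid(alarm: Alarm) -> bool:
    """Format check performed before any analysis (claims 5 and 20)."""
    return (isinstance(alarm.attack_type, str) and alarm.attack_type != ""
            and isinstance(alarm.target_host, str) and alarm.target_host != ""
            and isinstance(alarm.packets, list) and len(alarm.packets) > 0)

def fingerprint_from_packets(alarm: Alarm) -> Optional[tuple]:
    """Derive (initial TTL, window) from the first packet sent *by* the target host."""
    for pkt in alarm.packets:
        if pkt.src_ip == alarm.target_host:
            return (initial_ttl(pkt.ttl), pkt.window)
    return None

def assess_alarm(alarm: Alarm, store: FingerprintStore, now: float) -> dict:
    """Claim 1 steps: validate, fingerprint, map to OS type, compare with attack type.
    'vulnerable' is None when the OS or the signature is unknown: an undecidable
    alarm must be kept, not suppressed, or the filter itself becomes an evasion path."""
    if not alarm_format_is_valid(alarm):
        return {"valid": False, "os": "unknown", "vulnerable": None}
    fp = fingerprint_from_packets(alarm)
    if fp is not None:
        store.put(alarm.target_host, fp, now)
    else:  # no reply from the target in this alarm: fall back to the cache
        fp = store.get(alarm.target_host, now)
    host_os = OS_FINGERPRINTS.get(fp, "unknown") if fp is not None else "unknown"
    affected = ATTACK_TARGET_OS.get(alarm.attack_type)
    if host_os == "unknown" or affected is None:
        return {"valid": True, "os": host_os, "vulnerable": None}
    return {"valid": True, "os": host_os, "vulnerable": host_os in affected}

def on_dhcp_lease_event(event: str, ip: str, store: FingerprintStore) -> bool:
    """Lease issued or expired for ip: purge its cached fingerprint (claims 3 and 4).
    The address may now belong to a different machine, so the old OS guess must not
    be applied to it. Returns False when nothing was cached (expiry disregarded)."""
    if event not in ("issue", "expire"):  # assumed event names
        raise ValueError("unknown DHCP event: %r" % event)
    return store.purge(ip)
```

The point a practitioner would check is the handling of the undecidable case: when the fingerprint is unknown or the signature is not in the attack-to-OS table the alarm is passed through with `vulnerable` set to `None` rather than suppressed, so a gap in either table cannot be used to hide an attack. The cache is also keyed on the address only, which is why the DHCP lease hooks purge it: a new lease can hand the same address to a host with a different operating system.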
administrator if the target host is vulnerable to the attack [column 17 line 29 to column 18 line 
50]. 

As to claim 7, McClure et al discloses a system for reducing the false alarm rate of 
network intrusion detection systems, comprising: 

a network intrusion detection system operable to transmit one or more data 
packets associated with an alarm indicative of a potential attack on a target host 
[column 17 line 29 to column 18 line 50]; 

a software program embodied in a computer readable medium, the 
software program, when executed by a processor, operable to: 
receive the one or more data packets [column 17 line 29 to column 
18 line 50]; 

identify characteristics of the alarm from the data packets, 
including at least an attack type and an operating system fingerprint of the 
target host [column 17 line 29 to column 18 line 50]; 

identify the operating system type from the operating system 
fingerprint [column 17 line 29 to column 18 line 50]; 

compare the attack type to the operating system type [column 17 
line 29 to column 18 line 50]; and 

indicate whether the target host is vulnerable to the attack based on 
the comparison [column 17 line 29 to column 18 line 50]. 

As to claim 8, McClure et al discloses a storage location operable to store the operating 
system fingerprint of the target host for a time period [column 26, lines 25-35]. 

As to claim 12, McClure et al discloses that the software program has no knowledge of 
the protected network architecture [column 24, lines 50-67]. 

As to claim 13, McClure et al discloses that the software program has no access to the 
protected network [column 24, lines 50-67]. 

As to claim 14, McClure et al discloses that the NIDS is vendor independent [column 12, 
lines 30-49]. 

As to claim 15, McClure et al discloses that the NIDS does not support passive operating 
system fingerprinting [column 12, lines 30-49]. 

As to claim 16, McClure et al discloses a system for reducing the false alarm rate of 
network intrusion detection systems, comprising: 

means for receiving, from a network intrusion detection sensor, one or 
more data packets associated with an alarm indicative of a potential attack on a 
target host [column 17 line 29 to column 18 line 50]; 

means for identifying characteristics of the alarm from the data packets, 
including at least an attack type and an operating system fingerprint of the target 
host [column 17 line 29 to column 18 line 50]; 

means for identifying the operating system type from the operating system 
fingerprint [column 17 line 29 to column 18 line 50]; 

means for comparing the attack type to the operating system type [column 
17 line 29 to column 18 line 50]; and 

means for indicating whether the target host is vulnerable to the attack 
based on the comparison [column 17 line 29 to column 18 line 50]. 

As to claim 20, McClure et al discloses the system further comprising: 

after receiving the data packets, means for determining whether a format 
for the alarm is valid [column 23, lines 26-52]; and 

if the format is not valid, then means for disregarding the alarm [column 
23, lines 26-52]. 

Conclusion 

7. THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time 
policy as set forth in 37 CFR 1.136(a). 

A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed within TWO 
MONTHS of the mailing date of this final action and the advisory action is not mailed until after 
the end of the THREE-MONTH shortened statutory period, then the shortened statutory period 
will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 
CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, 
however, will the statutory period for reply expire later than SIX MONTHS from the mailing 
date of this final action. 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Aravind K. Moorthy whose telephone number is 571-272-3793. 
The examiner can normally be reached on Monday-Friday, 8:00-5:30. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Ayaz R. Sheikh can be reached on 571-272-3795. The fax phone number for the 
organization where this application or proceeding is assigned is 571-273-8300. 
Information regarding the status of an application may be obtained from the Patent 
Application Information Retrieval (PAIR) system. Status information for published applications 
may be obtained from either Private PAIR or Public PAIR. Status information for unpublished 
applications is available through Private PAIR only. For more information about the PAIR 
system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR 
system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would 
like assistance from a USPTO Customer Service Representative or access to the automated 
information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 

Aravind K Moorthy 